Redirecting from HTTP to HTTPS with Simple Auth

I was hoping to get some recommendations on how to handle user redirection from HTTP to HTTPS using an ember-initializer with ember-simple-auth.

```coffeescript
`import ENV from 'cio/config/environment'`

SSLInitializer =
  name: 'ssl'
  before: 'simple-auth-cookie-store'
  initialize: (container, application) ->
    application.deferReadiness()
    # Redirect if hitting HTTP and SSL is enabled
    if ENV.SSL and window.location.protocol is "http:"
      window.location.href = "https:" + window.location.href.substring(window.location.protocol.length)
      # Leave readiness deferred: the page is about to navigate away
      return false
    application.advanceReadiness()

`export default SSLInitializer`
```

But it seems that the cookie is getting invalidated even when the if statement evaluates to true. I have tried several things, including:

  • before: 'simple-auth'
  • before: 'store'
  • application.destroy() in the if statement, before setting window.location.href

From what I can tell after debugging, the application redirects to HTTPS, but then the cookie name is not found in document.cookie ( https://github.com/simplabs/ember-simple-auth/blob/master/packages/ember-simple-auth-cookie-store/lib/simple-auth-cookie-store/stores/cookie.js#L154 ).

This approach worked before, because we had a simple snippet in index.html, but with CSP we would like to move it into the initializer. Any recommendations?

Thanks!

+6
1 answer

You really have to force the redirect from HTTP to HTTPS on the server, since doing it from the client does not add any real security.

Think about it: the user downloaded the application into their browser from an insecure endpoint, and from that moment nothing can be trusted. Even a server-side redirect is problematic, because it relies on redirect advice from an untrusted endpoint. Users really must access things from their initial trusted starting point, otherwise all bets are off. This is called the secure introduction problem and will probably never be solved due to the business model behind SSL certificates.

You also should not trust cookies from an untrusted HTTP domain in a trusted HTTPS domain unless you can authenticate those cookies on the client. The sharing of cookies between HTTP and HTTPS is described in RFC 2109 (section 4.2.2, Set-Cookie Syntax).

That means:

  • A cookie set with "Secure" will be available only over HTTPS
  • A cookie set without "Secure" will be available over HTTP or HTTPS.
+4
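An added example, not from the question or the answer above, showing the two points the answer makes: the redirect belongs on the plain-HTTP listener (with HSTS on the HTTPS side so the browser stops making the HTTP request at all), and a cookie carrying the Secure attribute is never attached to an HTTP request, which is exactly why a session cookie set on HTTPS is "missing" from document.cookie when the app first loads over HTTP. The host name example.com, the cookie name sid and the helper names are assumptions; everything is modelled as pure functions so it runs offline without opening a socket.

```javascript
'use strict';

// Assumed canonical host. The redirect deliberately does NOT echo the
// request's Host header: a forged Host would turn this into an open redirect.
const CANONICAL_HOST = 'example.com';

// Response the plain-HTTP listener sends for every request: a permanent
// redirect to the same path on https and an empty body. Nothing served over
// http is trusted, so nothing else is served there.
function redirectToHttps(path) {
  return {
    status: 301,
    headers: { Location: `https://${CANONICAL_HOST}${path}` },
    body: '',
  };
}

// Headers the HTTPS listener adds to an authenticated response: a session
// cookie with Secure (never sent over http) and HttpOnly (not readable from
// document.cookie), plus an HSTS policy so later visits start on https.
function secureSessionHeaders(sessionId, hstsMaxAgeSeconds) {
  return {
    'Set-Cookie': `sid=${sessionId}; Secure; HttpOnly; SameSite=Lax; Path=/`,
    'Strict-Transport-Security': `max-age=${hstsMaxAgeSeconds}; includeSubDomains`,
  };
}

// Minimal Set-Cookie parser (name, value and the two flags we care about).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const flags = new Set(attrs.map((a) => a.split('=')[0].toLowerCase()));
  return {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: flags.has('secure'),
    httpOnly: flags.has('httponly'),
  };
}

// Which cookies from the jar would a browser attach to a request for `url`?
// Rule from RFC 2109 4.2.2 (and RFC 6265 5.4): a cookie carrying Secure is
// only sent when the scheme is https; a cookie without it is sent on both.
function cookiesForRequest(jar, url) {
  const isHttps = new URL(url).protocol === 'https:';
  return jar
    .filter((c) => isHttps || !c.secure)
    .map((c) => `${c.name}=${c.value}`);
}

// Constructed walk-through reproducing the symptom from the question.
function demo() {
  const jar = [
    parseSetCookie('sid=abc123; Secure; HttpOnly; Path=/'), // set by the https app
    parseSetCookie('theme=dark; Path=/'),                   // set without Secure
  ];
  return {
    redirect: redirectToHttps('/app?x=1'),
    overHttp: cookiesForRequest(jar, 'http://example.com/app'),   // sid is absent
    overHttps: cookiesForRequest(jar, 'https://example.com/app'), // sid is present
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The client-side initializer from the question cannot fix the first load: by the time it runs, the HTML and JavaScript have already arrived over plain HTTP. The server redirect plus HSTS removes the window for repeat visitors; only HSTS preloading (or the user typing https:// themselves) closes it for the very first visit, which is the secure introduction problem the answer refers to.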

Source: https://habr.com/ru/post/979926/
